Women in Information Security: Avi

Last time, I got the opportunity to speak with Diana Initiative founder Virginia Robbins, otherwise known as fl3uryz. She deserves all the kudos for her hard work in promoting women in our industry.

This time, I had the pleasure of speaking with Avi. They’re not a woman, but they certainly know what it’s like to be a gender minority in tech. Avi has a self-educated hacker background that really impresses me.

Kim Crawley: Hi Avi! Please tell me about what you do and how you got there.

Avi: I’m currently a developer, crypto nerd, and lockpicker. I got access to my first computer with a printer and floppy disks when I was 3. I wasn’t supposed to be on it, but I managed to find my way onto it, typed random sentences in, and fell in love with the sound of the printer printing on the continuous dot matrix paper. Once I got introduced to the internet when I was 5, that was it. I was already a fast typist, told everyone online I was 17, and that’s really when I first began poking around, eventually getting into coding and finding bugs in places. Physically, I was also poking around, opening doors with bobby pins starting at 6 years of age. TOOOL is unexpectedly a major part of my life now, but I did resist officially joining for a while. Cryptography, or at least ciphers, I didn’t get into until around and after my first DEFCON in high school. My first DEFCON also influenced me to get into digital fabrication for electronic design and production, computer-controlled machining, and embedded programming.

KC: Oh wow. I’ve written for 2600 Magazine, so I can say with some authority that you have the background of a really badass hacker. Good for you!

I presume you’ve worked with CAD programs. Do they pose special cybersecurity challenges?

A: My childhood was definitely quite a bit of a messy adventure for sure.

I think, as with all things, there are always going to be vulnerabilities in CAD programs. I’m not sure if I would say they pose special security challenges, but I’ve thought before about how, to an unassuming maker or engineer working in a closed environment, there’s likely an added risk from attackers trying to find access via undisclosed vulnerabilities or new attack surfaces. With the trend in CAD software being developed for use in browsers only, that creates new opportunities that didn’t really exist before with just standalone desktop programs. I’m personally wary and avoid the browser-only CADs.

KC: While playing around with technology, what are some important things you’ve learned about cybersecurity?

A: History repeats itself. Whether it’s faulty or lacking tests or some other accident, I tend to see the same bugs I knew were fixed show up again eventually, whether in the same use case as before or a variant of it. I think a lot of people tend to overthink vulnerabilities as some terrifying void in the unknown. Most of the time, they’re your basic “whoops, forgot form validation”, or a developer recommitted past commits that contained a patched vulnerability. I think the basics get overlooked, all the way down to the lack of or poor documentation confusing people, and training people what to look for and what to avoid doing.

I’ve also learned that some people are complicit and don’t like to do the right things until they’re made to. I’m not sure why that’s the case, but it’s bizarre watching people claim they didn’t know a vulnerability existed (sometimes for years even) and later find out that they did know the entire time. I’ll never understand that behaviour.

KC: I think sometimes development companies don’t want to spend more money on developer labour than they absolutely have to in order to have a product they can sell.

What are some misconceptions people have about what you do?

A: That bothers me personally, but I’m also not an entrepreneur needing to make a product to sell. I don’t think that behaviour should be excused, as many people do it deliberately, but I do try to step back and think of the people who do want to make a genuine product and haven’t been made aware of the security risks involved (yet).

I think the biggest misconception is that it’s too hard or too difficult to understand. It’s really not. If I can’t explain what it is I’m doing to someone in a way they understand, that’s a failure on my part and I think the industry overall. I really abhor the scare tactic marketing that’s being done more and more lately, as I feel it causes an apathy to basic security measures everyone can easily do at home themselves. The lack of empowerment and learned helplessness really bothers me, so I try to do my part in reversing that by going back to the basics of what they understand and build up from there. It’s not scary. Everyone can do this; everyone should be able to have the opportunity to do this.

That, and people assume it’s scary and illegal from misconceptions perpetuated by society as a whole or by people who overhype the things I do. Once again, I go back to reassuring them of the differences and what rights they do have, and I go from there.

KC: Although this series is called “Women in Information Security,” you’re not a woman, but I presume as a nonbinary person you are non-male. I only have my limited experience as a cisgender woman to go by, but I think both binary and nonbinary transgender people probably face more prejudice in the tech industry than I do. Am I correct?

A: I think before I can explain the question I’d have to define what it means to be nonbinary. It’s not the absence of gender but the lack of identifying exclusively as being masculine or feminine. For some nonbinary folks, it is the full outright rejection of gender, which is absolutely valid. But for myself, I’m a nonbinary trans guy. My experiences as a nonbinary individual with how my androgynous, feminine, and masculine parts of me exist are tied directly to my experience as a trans guy who has to be on testosterone for life.

It’s like being queer by saying “I’m queer, and everyone already knows what spaces I reside in,” yet at the same time, they don’t actually know the personal specifics, either. People don’t have to know that I’ve been hormone-deficient my entire life, that the first attempt at starting puberty with estrogen briefly was a complete catastrophe, that my body has only really been going through puberty for almost four years now with testosterone, and that someday they will have to attempt adding estrogen back into my life because, you know, bones and stuff are a thing. It’s complicated; bodies and people are complex and intersectional, and a single label doesn’t and can’t define all the differences that exist.

Trans and nonbinary people, regardless of what industry they’re in, face more prejudice and increased risks of violence, especially trans women of colour. At the same time, whether or not people realise this, there’s a lot of us. More than one could imagine, many of them extremely successful. I no longer believe in “passing,” but I think a lot of people would be surprised that they probably know a trans or nonbinary person: they just don’t know it. I don’t scream at the top of my lungs that I’m nonbinary and trans when I meet someone. (On Twitter, it’s in my bio mainly so it’s easy for someone who might be in the closet to spot me or someone who wants to chat about it privately, hence open DMs.) I’m not hiding myself; I’m very visibly queer, nonbinary, trans, with being androgynous. I know that there’s no way to separate my life and my experiences away from who I am. No matter what skills and abilities I have, that doesn’t matter to someone who’s already decided they don’t like that part of me.

KC: Excellent, Avi. Is there anything else you’d like to add before we go?

A: I’d say be kind, watch what you’re saying, and help the next person find their magical moment of understanding how something works. Seeing the moment that something clicked in another person’s brain after explaining it is a precious and beautiful moment. Have more of those, especially those who don’t have the same experiences and paths you took getting to where you’re at now. I promise it’s rewarding, and you also gain something out of it: they’ll surprise you in so many ways you’d have never thought of alone.

About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of it as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.